Older point-of-sale (POS) terminals that process magnetic stripe payment cards have become popular targets for cybercriminals. In particular, a group that calls itself BearsInc is infecting these older POS terminals with malware dubbed TreasureHunt. The cybercriminals have one goal in mind: steal payment card data from those terminals’ memory.
The BearsInc members are probably feeling like kids in a candy store these days. Older POS terminals are still widely used in the United States, despite payment card companies having moved to the more secure chip-based payment cards (also known as EMV cards or chip-and-PIN cards). For example, a 2016 survey by CardHub found that 42 percent of U.S. retailers have not yet upgraded their terminals, and another 24 percent have converted less than half of them.
The attacks on the older POS terminals have been intensifying, with small and midsize businesses being the main targets, according to Trend Micro research. Cybercriminals have recently stepped up their efforts, as they know that malware like TreasureHunt will become useless once all businesses transition to chip-based payment cards and the new POS terminals. That’s because chip-based payment cards create a unique transaction code each time they are used. These codes cannot be used again. If transaction information is stolen, any attempt to re-use that data would result in the card being declined.
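As an added illustration (not from the original article) of why stolen chip transaction data cannot be replayed, the following simplified Python model shows the contrast the paragraph above describes: static magnetic stripe data authorizes every time it is presented, whereas a chip computes a per-transaction code tied to a transaction counter, and the issuer declines any code whose counter it has already seen or whose amount was altered. The HMAC-SHA256 construction, the `Issuer` class and the sample card number are assumptions for the demonstration, not EMV's actual message formats.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Dict, Tuple

# --- Card side --------------------------------------------------------------

def chip_cryptogram(card_key: bytes, atc: int, amount_cents: int) -> str:
    """Stand-in for the unique transaction code an EMV chip produces.
    Real cards compute a MAC with a card-unique key over transaction data;
    this HMAC over (counter, amount) is a simplified model, not the EMV spec."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(8, "big")
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()

# --- Issuer side ------------------------------------------------------------

@dataclass
class CardRecord:
    key: bytes
    last_atc: int = 0  # highest application transaction counter accepted so far

class Issuer:
    """Hypothetical issuer that authorizes both stripe and chip transactions."""

    def __init__(self) -> None:
        self.cards: Dict[str, CardRecord] = {}

    def enroll(self, pan: str, key: bytes) -> None:
        self.cards[pan] = CardRecord(key)

    def authorize_stripe(self, pan: str, track2: str) -> Tuple[bool, str]:
        """Legacy magstripe check. Track data is static, so a copy scraped
        from a terminal's memory is indistinguishable from the real card."""
        rec = self.cards.get(pan)
        if rec is None or not track2.startswith(pan + "="):
            return False, "declined: unknown card"
        return True, "approved (static data, nothing to detect a replay)"

    def authorize_chip(self, pan: str, atc: int, amount_cents: int,
                       cryptogram: str) -> Tuple[bool, str]:
        """Chip check: verify the code, then insist the counter moves forward."""
        rec = self.cards.get(pan)
        if rec is None:
            return False, "declined: unknown card"
        expected = chip_cryptogram(rec.key, atc, amount_cents)
        if not hmac.compare_digest(expected, cryptogram):
            return False, "declined: cryptogram does not verify (data altered)"
        if atc <= rec.last_atc:
            return False, "declined: transaction counter already used (replay)"
        rec.last_atc = atc
        return True, "approved"

def demo() -> Dict[str, bool]:
    """Run the scenario with constructed sample values and return each outcome."""
    issuer = Issuer()
    pan, key = "4111111111111111", b"constructed-card-key"  # sample values
    issuer.enroll(pan, key)
    track2 = pan + "=25121011234567890000"  # constructed track-2 style string

    code = chip_cryptogram(key, 1, 2599)  # genuine purchase for $25.99
    return {
        "stripe_first": issuer.authorize_stripe(pan, track2)[0],
        "stripe_replay": issuer.authorize_stripe(pan, track2)[0],  # still works
        "chip_first": issuer.authorize_chip(pan, 1, 2599, code)[0],
        "chip_replay": issuer.authorize_chip(pan, 1, 2599, code)[0],  # declined
        "chip_altered": issuer.authorize_chip(pan, 2, 9999, code)[0],  # declined
        "chip_next": issuer.authorize_chip(pan, 2, 2599,
                                           chip_cryptogram(key, 2, 2599))[0],
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:13s} -> {'approved' if ok else 'declined'}")
```

The counter check is what makes captured chip data worthless to a thief: even a perfectly valid code is declined the second time it is presented, while the stripe path has no equivalent signal.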
How the TreasureHunt Malware Works
POS malware can be spread a variety of ways, including spam and exploit kits. These types of attacks cast a wide net in the hope of catching a few victims. TreasureHunt, though, takes a more targeted approach: it is spread through the manual hacking of terminals. BearsInc members access the older POS terminals using stolen credentials or cracked passwords. After they gain access, they install the TreasureHunt malware on the POS terminal.
TreasureHunt first makes changes to the registry so that it runs again whenever the terminal is rebooted. Next, the malware scans the memory of running processes for payment card data. Every time the malware finds some data, it encodes it and sends it to the command and control server operated by BearsInc. BearsInc then sells the stolen payment card data in data dumps on the Internet.
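The registry change described above is the kind of persistence a defender can audit. The following Python script is an added example (not code from the article or from Trend Micro) that parses a registry export in the text format `reg.exe export` produces and flags autostart entries that are either absent from an allowlist of expected POS software or launched from a user-writable location. It assumes the persistence lives under a `Run`/`RunOnce` key, which the article does not state; the export text, the allowlist and the paths are all constructed sample data.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the format written by `reg.exe export` (REG_SZ values).
# Backslashes inside quoted values are doubled in that format.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"PosAgent"="\"C:\\Program Files\\ExamplePOS\\agent.exe\" --service"
"WinUpd"="C:\\Users\\Public\\winupd.exe"
"""

# Hypothetical allowlist: (value name, executable path) pairs expected on a terminal.
EXPECTED_AUTOSTART: Set[Tuple[str, str]] = {
    ("securityhealth", r"c:\program files\windows defender\msascuil.exe"),
    ("posagent", r"c:\program files\examplepos\agent.exe"),
}

# Heuristic: directories an unprivileged user can typically write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

_VALUE_RE = re.compile(r'^"(.+?)"="(.*)"$')

def _unescape(s: str) -> str:
    """Reverse the escaping reg.exe applies to quoted REG_SZ values."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def executable_path(command: str) -> str:
    """Extract the program from a command line: a quoted path or the text
    up to and including the first '.exe' (unquoted paths with arguments)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.search(r"\.exe\b", command, re.IGNORECASE)
    return command[: m.end()] if m else command

def parse_autostart(export_text: str) -> List[Tuple[str, str, str]]:
    """Return (key, value name, command) for every entry under Run/RunOnce."""
    entries, current_key, in_run_key = [], "", False
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            in_run_key = current_key.lower().endswith(("\\run", "\\runonce"))
            continue
        m = _VALUE_RE.match(line)
        if in_run_key and m:
            entries.append((current_key, m.group(1), _unescape(m.group(2))))
    return entries  # hex-encoded (REG_EXPAND_SZ/REG_BINARY) values are ignored here

def audit_autostart(export_text: str,
                    allowlist: Set[Tuple[str, str]]) -> List[Dict[str, object]]:
    """Flag autostart entries that are unexpected or run from writable dirs."""
    findings = []
    for key, name, command in parse_autostart(export_text):
        path = executable_path(command).lower()
        reasons = []
        if (name.lower(), path) not in allowlist:
            reasons.append("not on autostart allowlist")
        if any(marker in path for marker in USER_WRITABLE_MARKERS):
            reasons.append("runs from a user-writable directory")
        if reasons:
            findings.append({"key": key, "name": name, "path": path,
                             "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_autostart(SAMPLE_REG_EXPORT, EXPECTED_AUTOSTART):
        print(f"{f['name']}: {f['path']} ({'; '.join(f['reasons'])})")
```

On a fleet of terminals the allowlist would be generated from a known-good image, and the export fed in from each machine; an entry that fails both checks, as `WinUpd` does in the sample, is the one to pull memory and network captures for first.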
What You Can Do to Avoid Becoming a Victim
If your business accepts physical payment cards, you can avoid becoming a victim of TreasureHunt or similar malware by switching to the new POS terminals, if you haven’t already done so. In addition, you should use unique, strong passwords for these POS terminals. Although the new terminals will not be susceptible to TreasureHunt, cybercriminals might try to access them for other nefarious reasons. If you use unique, strong passwords, it will be much harder for cybercriminals to gain access to the terminals.
Plus, you might want to take steps to protect your business’s payment cards. Make sure that they have the chip technology. Equally important, when you need to buy supplies or equipment for your business at brick-and-mortar stores, purchase those items at retailers with the new POS terminals.